Skip to content

feat(security): add CSP, Permissions-Policy and a request body limit#477

Open
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:feat/http-hardening
Open

feat(security): add CSP, Permissions-Policy and a request body limit#477
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:feat/http-hardening

Conversation

@NickAldewereld

Copy link
Copy Markdown

Two small HTTP-layer hardening changes in server.ts:

  • Security headers: secureHeaders() was called with no options, so no Content-Security-Policy or Permissions-Policy was emitted (HSTS / nosniff / X-Frame-Options were already on by default). Adds an explicit CSP (default-src 'self', object-src 'none', frame-ancestors 'none', …) and a minimal Permissions-Policy. The CSP allows 'unsafe-inline' for styles and data: images/fonts, which the client currently needs.
  • Request body limit: adds hono/body-limit sized to maxEncryptedPayloadLength (+ envelope). Without it, request bodies were fully buffered and JSON-parsed into memory before the per-note size check, so an oversized body was buffered in full before rejection. With the limit, oversized bodies are rejected while streaming.

Lint, typecheck, tests and build pass.

…imit

secureHeaders() was called with no options, so no Content-Security-Policy
or Permissions-Policy was emitted. Add an explicit CSP (default-src 'self',
object-src 'none', frame-ancestors 'none', ...) and a minimal Permissions-Policy.

Also add hono/body-limit so oversized request bodies are rejected while
streaming instead of being fully buffered and parsed into memory before the
per-note size check runs (unbounded-body memory-exhaustion DoS).
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant